github
diff --git a/‎CODEOWNERS‎
Lines changed: 1 addition & 0 deletions b/‎CODEOWNERS‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 3 additions & 0 deletions b/‎change-notes/1.19/analysis-cpp.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎change-notes/1.19/analysis-csharp.md‎
Lines changed: 5 additions & 3 deletions b/‎change-notes/1.19/analysis-csharp.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎change-notes/1.19/analysis-java.md‎
Lines changed: 7 additions & 0 deletions b/‎change-notes/1.19/analysis-java.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.19/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql‎
Lines changed: 27 additions & 0 deletions b/‎cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql‎
Lines changed: 15 additions & 5 deletions b/‎cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/commons/Buffer.qll‎
Lines changed: 35 additions & 31 deletions b/‎cpp/ql/src/semmle/code/cpp/commons/Buffer.qll‎
Lines changed: 35 additions & 31 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/controlflow/SSAUtils.qll‎
Lines changed: 7 additions & 1 deletion b/‎cpp/ql/src/semmle/code/cpp/controlflow/SSAUtils.qll‎
Lines changed: 7 additions & 1 deletion
@@ -1,3 +1,4 @@
 /csharp/ @Semmle/cs
 /java/ @Semmle/java
 /javascript/ @Semmle/js
+/cpp/ @Semmle/cpp-analysis
@@ -15,13 +15,16 @@
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
+| Empty branch of conditional | Fewer false positive results | The query now recognizes commented blocks more reliably. |
 | Resource not released in destructor | Fewer false positive results | Placement new is now excluded from the query. Also fixed an issue where false positives could occur if the destructor body was not in the snapshot. |
 | Missing return statement (`cpp/missing-return`) | Visible by default | The precision of this query has been increased from 'medium' to 'high', which makes it visible by default in LGTM. It was 'medium' in release 1.17 and 1.18 because it had false positives due to an extractor bug that was fixed in 1.18. |
 | Missing return statement | Fewer false positive results | The query is now produces correct results when a function returns a template-dependent type. |
 | Call to memory access function may overflow buffer | More correct results | Array indexing with a negative index is now detected by this query. |
+| Suspicious call to memset | Fewer false positive results | Types involving decltype are now correctly compared. |
 | Suspicious add with sizeof | Fewer false positive results | Arithmetic with void pointers (where allowed) is now excluded from this query. |
 | Wrong type of arguments to formatting function | Fewer false positive results | False positive results involving typedefs have been removed.  Expected argument types are determined more accurately, especially for wide string and pointer types.  Custom (non-standard) formatting functions are also identified more accurately. |
 
 ## Changes to QL libraries
 
 * Added a hash consing library for structural comparison of expressions.
+* `getBufferSize` now detects variable size structs more reliably.
@@ -2,8 +2,10 @@
 
 ## General improvements
 
-* The control flow graph construction now takes simple Boolean conditions on local scope variables into account. For example, in `if (b) x = 0; if (b) x = 1;`, the control flow graph will reflect that taking the `true` (resp. `false`) branch in the first condition implies taking the same branch in the second condition. In effect, the first assignment to `x` will now be identified as being dead.
-
+* Control flow graph improvements:
+  * The control flow graph construction now takes simple Boolean conditions on local scope variables into account. For example, in `if (b) x = 0; if (b) x = 1;`, the control flow graph will reflect that taking the `true` (resp. `false`) branch in the first condition implies taking the same branch in the second condition. In effect, the first assignment to `x` will now be identified as being dead.
+  * Code that is only reachable from a constant failing assertion, such as `Debug.Assert(false)`, is considered to be unreachable.
+  
 ## New queries
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
@@ -13,7 +15,7 @@
 ## Changes to existing queries
 
 | Inconsistent lock sequence (`cs/inconsistent-lock-sequence`) | More results | This query now finds inconsistent lock sequences globally across calls. |
-
+| Local scope variable shadows member (`cs/local-shadows-member`) | Fewer results | Results have been removed where a constructor parameter shadows a member, because the parameter is probably used to initialize the member. |
 | *@name of query (Query ID)*| *Impact on results*    | *How/why the query has changed*                                  |
 
 
 
@@ -6,16 +6,23 @@
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
+| Missing catch of NumberFormatException (`java/uncaught-number-format-exception`) | reliability, external/cwe/cwe-248 | Finds calls to `Integer.parseInt` and similar string-to-number conversions that might raise a `NumberFormatException` without a corresponding `catch`-clause. |
 
 ## Changes to existing queries
 
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
 | Array index out of bounds (`java/index-out-of-bounds`) | Fewer false positive results | False positives involving arrays with a length evenly divisible by 3 or some greater number and an index being increased with a similar stride length are no longer reported. |
+| Query built from user-controlled sources (`java/sql-injection`) | More results | Sql injection sinks from the Spring JDBC, MyBatis, and Hibernate frameworks are now reported. |
+| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | Sql injection sinks from the Spring JDBC, MyBatis, and Hibernate frameworks are now reported. |
 | Unreachable catch clause (`java/unreachable-catch-clause`) | Fewer false positive results | This rule now accounts for calls to generic methods that throw generic exceptions. |
 | Useless comparison test (`java/constant-comparison`) | Fewer false positive results | Constant comparisons guarding `java.util.ConcurrentModificationException` are no longer reported, as they are intended to always be false in the absence of API misuse. |
 
 ## Changes to QL libraries
 
+* The default set of taint sources in the `FlowSources` library is extended to
+  cover parameters annotated with Spring framework annotations indicating
+  remote user input from servlets. This affects all security queries, which
+  will yield additional results on projects using the Spring Web framework.
 * The `ParityAnalysis` library is replaced with the more general `ModulusAnalysis` library, which improves the range analysis.
 
@@ -38,6 +38,7 @@
 | Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. |
 | User-controlled bypass of security check | Fewer results | This rule no longer flags conditions that guard early returns. The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. | 
 | Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |
+| Unused import | Fewer false-positive results | This rule no longer flags imports used by the `transform-react-jsx` Babel plugin. |
 
 ## Changes to QL libraries
 
 
@@ -29,6 +29,10 @@ class AffectedFile extends File {
   }
 }
 
+/**
+ * A block, or an element we might find textually within a block that is
+ * not a child of it in the AST.
+ */
 class BlockOrNonChild extends Element {
   BlockOrNonChild() {
     ( this instanceof Block
@@ -68,6 +72,9 @@ class BlockOrNonChild extends Element {
   }
 }
 
+/**
+ * A block that contains a non-child element.
+ */
 predicate emptyBlockContainsNonchild(Block b) {
   emptyBlock(_, b) and
   exists(BlockOrNonChild c, AffectedFile file |
@@ -78,7 +85,27 @@ predicate emptyBlockContainsNonchild(Block b) {
   )
 }
 
+/**
+ * A block that is entirely on one line, which also contains a comment.  Chances
+ * are the comment is intended to refer to the block.
+ */
+predicate lineComment(Block b) {
+  emptyBlock(_, b) and
+  exists(Location bLocation, File f, int line |
+    bLocation = b.getLocation() and
+    f = bLocation.getFile() and
+    line = bLocation.getStartLine() and
+    line = bLocation.getEndLine() and
+    exists(Comment c, Location cLocation |
+      cLocation = c.getLocation() and
+      cLocation.getFile() = f and
+      cLocation.getStartLine() = line
+    )
+  )
+}
+
 from ControlStructure s, Block eb
 where emptyBlock(s, eb)
   and not emptyBlockContainsNonchild(eb)
+  and not lineComment(eb)
 select eb, "Empty block without comment"
@@ -48,6 +48,7 @@ where exists
     ctls.getControllingExpr() = e1
     and e1.getType().(TypedefType).hasName("HRESULT")
     and not isHresultBooleanConverted(e1)
+    and not ctls instanceof SwitchStmt // not controlled by a boolean condition
     and msg = "Direct usage of a type " + e1.getType().toString() + " as a conditional expression"
   ) 
   or
 
@@ -25,7 +25,7 @@ predicate pointerThis(Expr e) {
   // `f(...)`
   // (includes `this = ...`, where `=` is overloaded so a `FunctionCall`)
   exists(FunctionCall fc | fc = e and callOnThis(fc) |
-    exists(fc.getTarget().getBlock()) implies returnsPointerThis(fc.getTarget())
+    returnsPointerThis(fc.getTarget())
   ) or
 
   // `this = ...` (where `=` is not overloaded, so an `AssignExpr`) 
@@ -38,22 +38,33 @@ predicate dereferenceThis(Expr e) {
   // `f(...)`
   // (includes `*this = ...`, where `=` is overloaded so a `FunctionCall`)
   exists(FunctionCall fc | fc = e and callOnThis(fc) |
-    exists(fc.getTarget().getBlock()) implies returnsDereferenceThis(fc.getTarget())
+    returnsDereferenceThis(fc.getTarget())
   ) or
 
   // `*this = ...` (where `=` is not overloaded, so an `AssignExpr`) 
   dereferenceThis(e.(AssignExpr).getLValue())
 }
 
+/**
+ * Holds if all `return` statements in `f` return `this`, possibly indirectly.
+ * This includes functions whose body is not in the database.
+ */
 predicate returnsPointerThis(Function f) {
-  forex(ReturnStmt s | s.getEnclosingFunction() = f |
+  f.getType().getUnspecifiedType() instanceof PointerType and
+  forall(ReturnStmt s | s.getEnclosingFunction() = f and reachable(s) |
     // `return this`
     pointerThis(s.getExpr())
   )
 }
 
+/**
+ * Holds if all `return` statements in `f` return a reference to `*this`,
+ * possibly indirectly. This includes functions whose body is not in the
+ * database.
+ */
 predicate returnsDereferenceThis(Function f) {
-  forex(ReturnStmt s | s.getEnclosingFunction() = f |
+  f.getType().getUnspecifiedType() instanceof ReferenceType and
+  forall(ReturnStmt s | s.getEnclosingFunction() = f and reachable(s) |
     // `return *this`
     dereferenceThis(s.getExpr())
   )
@@ -72,7 +83,6 @@ predicate assignOperatorWithWrongType(Operator op, string msg) {
 predicate assignOperatorWithWrongResult(Operator op, string msg) {
   op.hasName("operator=")
   and not returnsDereferenceThis(op)
-  and exists(op.getBlock())
   and not op.getType() instanceof VoidType
   and not assignOperatorWithWrongType(op, _)
   and msg = "Assignment operator in class " + op.getDeclaringType().getName() + " does not return a reference to *this."
 
@@ -1,29 +1,6 @@
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
 
-/**
- * Holds if `sizeof(s)` occurs as part of the parameter of a dynamic
- * memory allocation (`malloc`, `realloc`, etc.), except if `sizeof(s)`
- * only ever occurs as the immediate parameter to allocations.
- *
- * For example, holds for `s` if it occurs as
- * ```
- * malloc(sizeof(s) + 100 * sizeof(char))
- * ```
- * but not if it only ever occurs as
- * ```
- * malloc(sizeof(s))
- * ```
-*/
-private predicate isDynamicallyAllocatedWithDifferentSize(Class s) {
-  exists(SizeofTypeOperator sof |
-    sof.getTypeOperand().getUnspecifiedType() = s |
-    // Check all ancestor nodes except the immediate parent for
-    // allocations.
-    isStdLibAllocationExpr(sof.getParent().(Expr).getParent+())
-  )
-}
-
 /**
  * Holds if `v` is a member variable of `c` that looks like it might be variable sized in practice.  For
  * example:
@@ -34,15 +11,40 @@ private predicate isDynamicallyAllocatedWithDifferentSize(Class s) {
  * };
  * ```
  * This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.  In addition,
- * there must be at least one instance where a `c` pointer is allocated with additional space. 
+ * there must be at least one instance where a `c` pointer is allocated with additional space.  For
+ * example, holds for `c` if it occurs as
+ * ```
+ * malloc(sizeof(c) + 100 * sizeof(char))
+ * ```
+ * but not if it only ever occurs as
+ * ```
+ * malloc(sizeof(c))
+ * ``` 
  */
 predicate memberMayBeVarSize(Class c, MemberVariable v) {
   exists(int i |
+    // `v` is the last field in `c`
     i = max(int j | c.getCanonicalMember(j) instanceof Field | j) and
     v = c.getCanonicalMember(i) and
-    v.getType().getUnspecifiedType().(ArrayType).getSize() <= 1
-  ) and
-  isDynamicallyAllocatedWithDifferentSize(c)
+
+    // v is an array of size at most 1
+    v.getType().getUnspecifiedType().(ArrayType).getArraySize() <= 1
+  ) and (
+    exists(SizeofOperator so |
+      // `sizeof(c)` is taken
+      so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
+      so.(SizeofExprOperator).getExprOperand().getType().getUnspecifiedType() = c |
+
+      // arithmetic is performed on the result
+      so.getParent*() instanceof AddExpr
+    ) or exists(AddressOfExpr aoe |
+      // `&(c.v)` is taken
+      aoe.getAddressable() = v
+    ) or exists(BuiltInOperationOffsetOf oo |
+      // `offsetof(c, v)` using a builtin
+      oo.getAChild().(VariableAccess).getTarget() = v
+    )
+  )
 }
 
 /**
@@ -81,19 +83,21 @@ int getBufferSize(Expr bufferExpr, Element why) {
     // buffer is a fixed size dynamic allocation
     isFixedSizeAllocationExpr(bufferExpr, result) and
     why = bufferExpr
-  ) or (
+  ) or exists(DataFlow::ExprNode bufferExprNode |
     // dataflow (all sources must be the same size)
+    bufferExprNode = DataFlow::exprNode(bufferExpr) and
+ 
     result = min(Expr def |
-      DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
+      DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode) |
       getBufferSize(def, _)
     ) and result = max(Expr def |
-      DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
+      DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode) |
       getBufferSize(def, _)
     ) and
 
     // find reason
     exists(Expr def |
-      DataFlow::localFlowStep(DataFlow::exprNode(def), DataFlow::exprNode(bufferExpr)) |
+      DataFlow::localFlowStep(DataFlow::exprNode(def), bufferExprNode) |
       why = def or
       exists(getBufferSize(def, why))
     )
 
@@ -124,11 +124,17 @@ cached library class SSAHelper extends int {
      * Modern Compiler Implementation by Andrew Appel.
      */
     private predicate frontier_phi_node(LocalScopeVariable v, BasicBlock b) {
-        exists(BasicBlock x | dominanceFrontier(x, b) and ssa_defn(v, _, x, _))
+        exists(BasicBlock x | dominanceFrontier(x, b) and ssa_defn_rec(v, x))
         /* We can also eliminate those nodes where the variable is not live on any incoming edge */
         and live_at_start_of_bb(v, b)
     }
 
+    private predicate ssa_defn_rec(LocalScopeVariable v, BasicBlock b) {
+        phi_node(v, b)
+        or
+        variableUpdate(v, _, b, _)
+    }
+  
     /**
      * Holds if `v` is defined, for the purpose of SSA, at `node`, which is at
      * position `index` in block `b`. This includes definitions from phi nodes.
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ where exists`
`48`	`48`	`ctls.getControllingExpr() = e1`
`49`	`49`	`and e1.getType().(TypedefType).hasName("HRESULT")`
`50`	`50`	`and not isHresultBooleanConverted(e1)`
	`51`	`+ and not ctls instanceof SwitchStmt // not controlled by a boolean condition`
`51`	`52`	`and msg = "Direct usage of a type " + e1.getType().toString() + " as a conditional expression"`
`52`	`53`	`)`
`53`	`54`	`or`